
SANS ISC: What Anti-virus Program Is Right For You? - Internet Security | DShield SANS ISC InfoSec Forums


What Anti-virus Program Is Right For You?

Recently I have been investigating different anti-virus software and trying to determine which is the best for home users and for businesses.
There are so many choices and so many different opinions of which are good and why.  One popular Internet Security website touts
Bit Defender as the best of the best with Kaspersky coming in second and Norton in a very close third.  Another popular website rates VIPRE
on top with Bit Defender in second followed by Kaspersky. Yet another site list Webroot, Norton and McAfee in that order. 

So what does a person do?  How do you determine which is the best and right for you? Is it price? Is it features? There are so many
different programs that it is confusing and perhaps even overwhelming. 

I would like to hear from our readers.  What do you think?  What anti-virus have you chosen for home or work and why?  Let us know
what you think.


Deb Hale

Deborah

278 Posts
ISC Handler
I would think Windows users (or non-users, who had it pre-installed on a new PC) are already paying for Microsoft Security Essentials through the license fee, so I would at least use that, unless there was a really strong case for preferring one of the others. I think that is limited to 5 users per 'site' or similar. It succeeded in identifying a single, fresh malware sample when I once tried it; which Kaspersky, F-Secure and other major AV vendors at the time surprisingly missed. There are many other considerations however, such as rate of false positives, system performance with the scanner enabled, and management features especially in enterprise.
Steven C.

171 Posts
Try ESET NOD32
That's all I have been using for years.
I also have a site license for Trojan Hunter.

I use Spyware Blaster and that's all.
Steven C.
20 Posts
For Windows: Kaspersky. It was the only one that found a keylogger hidden in a video card's RAM. McAfee, Symantec, Trend, AVG and Sophos didn't.

For Mac: Avast AV.
ivbarry

1 Posts
In-house program that is classified. Anything out in the market place has already been broken by research institutions.

Andrew
Andrew Wallace

4 Posts
I use Avira free version. I used to use the pay-for version, but keeping track of licences and expiration dates became too much of a pain. I also use ClamAV on the mail server, and 3 tiers of firewalls and a NIDS, and it wasn't until last week that we had a contagious infection of windoze laptops, which likely came from when a machine was off our network and only using its internal defenses. The infection was not too bad -- only 2 machines, but it was comprised of 2 trojans and an ad/spyware infection on both machines. One laptop was running XP Pro 32-bit, and the other was running W7 64-bit, so who knows. Anyway, a nuke and restore from the most recent known good image, followed by a full scan, which proved clean. Then restore the user's data files from the backup server, and one of the users had the infected files in their personal stuff, so I let the A/V delete those files and got a clean scan. Everything seems OK now.
Moriah

133 Posts
I use an interesting and useful antivirus program named "GNU/Linux". It installs easily from a boot CD that repartitions my system to remove all the vulnerable Windows software, then runs the PC with all the personal and business functionality I need.
JSloan

4 Posts
The real protection comes from installing the latest patches and updates and of course safe computing practices. Rarely should your AV have to detect anything, but it is there if all else fails. For home use Microsoft Security Essentials - it's free and easy for any home user to operate. For business use Trend Micro - reporting and updating is all centralized so you can easily monitor the whole business. With AV protection sometimes one vendor will be quicker or provide a better cleanup, but next time it will be another vendor. Who is always first isn't nearly as important as which product is more maintainable.
JSloan
1 Posts
F-Secure and Kaspersky. Unfortunately F-Secure is very expensive compared to Kaspersky, so many customers are moving to Kaspersky. F-Secure declared in a statement that "government spyware" like FinFisher will be treated as malware.

I try to avoid as much as possible AV from USA because I fear some kind of backdoor (even before the Snowden case) and very popular AV (such as Symantec).
lrosa

5 Posts
http://www.av-comparatives.org/
Dean

135 Posts
Still using F-Prot, but I've been using it since the old BBS days. I've never had a problem and continue to renew it year after year. I don't think any of them are 100% perfect, but this is the one I'm most happy and comfortable with when I have to load Windows for any purpose at all.
Glenn

17 Posts
I'm more and more of the opinion that all virus scanners are just snake oil. Currently I even know one place where ClamAV is used on some servers just to mark the 'we have a virus scanner' checkbox in a compliance form. Personally I second the opinion that timely installed patches are more important than some additional software with additional bugs and issues. Who honestly wants that?
Glenn
7 Posts
You should consider Heimdal. The free version automatically updates critical 3rd party software on Windows PCs, but the PRO version also blocks malicious websites and communication to C&Cs/botnets. The PRO version also detects malware and especially banking trojans.

Download Heimdal:
https://www.heimdalagent.com
Glenn
2 Posts
As far as I am aware, the only antivirus product that is free for business use is Comodo - all of the others are only free for personal/home use. (PC Tools used to be free for business use but is no longer listed on their Web site.) Personally, I think that it is bad that very few vendors make the license conditions clear on their Web site - in many cases you only find out that business use requires a paid subscription from the EULA that is shown when you try and install it!
patermann

35 Posts
For home and small business MS security essentials / defender. It seems to have the best rate of being up to date. Most infected computers I have seen have out of date signatures, definitions, or even av software. The best performer cannot perform well if out of date.
G.Scott H.

48 Posts
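The post above makes the point that an engine with stale signatures is not really protecting anything. As an added example, not something from the thread or from any of the vendors named in it, here is a PowerShell check a practitioner could run across a fleet of Defender-equipped Windows hosts to find the machines that are out of date or have protection switched off. It assumes PowerShell Remoting is enabled on the targets and the caller is a local administrator there; the host names and the 3-day threshold are placeholders.

```powershell
# Added example (not from the thread): flag Windows hosts whose Defender
# signatures are stale or whose protection is disabled, using the built-in
# Defender cmdlets. Assumptions: PowerShell Remoting is enabled on the
# targets, the caller is a local admin there, and the host names used at
# the bottom are placeholders.
function Get-StaleDefenderHosts {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $MaxSignatureAgeDays = 3
    )

    # Get-MpComputerStatus is run remotely so each host reports on itself.
    $status = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-MpComputerStatus |
            Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                          AntivirusSignatureAge, AntivirusSignatureLastUpdated,
                          AntivirusSignatureVersion, AMEngineVersion
    }

    foreach ($s in $status) {
        $reasons = @()
        if (-not $s.AntivirusEnabled)          { $reasons += 'AV disabled' }
        if (-not $s.RealTimeProtectionEnabled) { $reasons += 'real-time protection off' }
        if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $reasons += "signatures $($s.AntivirusSignatureAge) days old"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ComputerName     = $s.PSComputerName   # added by Invoke-Command
                SignatureVersion = $s.AntivirusSignatureVersion
                EngineVersion    = $s.AMEngineVersion
                LastUpdated      = $s.AntivirusSignatureLastUpdated
                Reason           = $reasons -join '; '
            }
        }
    }

    # Hosts that returned nothing deserve a look too: unreachable, remoting
    # disabled, or no Defender at all (a third-party product may have
    # registered instead, or nothing has).
    $reported = @($status | ForEach-Object { $_.PSComputerName })
    foreach ($c in $ComputerName) {
        if ($reported -notcontains $c) {
            [pscustomobject]@{
                ComputerName     = $c
                SignatureVersion = $null
                EngineVersion    = $null
                LastUpdated      = $null
                Reason           = 'no status returned'
            }
        }
    }
}

# Usage with placeholder host names; only problem hosts are listed.
Get-StaleDefenderHosts -ComputerName 'PC-001', 'PC-002', 'PC-003' -MaxSignatureAgeDays 3 |
    Format-Table -AutoSize
```

Run it on a schedule and the "no status returned" rows are often the more interesting finding than the stale ones: a laptop that has been off the network for weeks, as in the infection story earlier in the thread, shows up there first.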
I use Kaspersky too. A multi-computer license is cheap as dirt on Amazon. I always buy last year's because it includes free upgrades to the current version. I ran MSE for a while but got stung with some adware that was pretty intrusive... well, it might have been malware. Can't quite remember. But nothing would detect it, let alone try and clean it, except Kaspersky Virus Removal Tool. Not to say I didn't nuke the drive from space once I confirmed what it was... Their tech support is horrible though, so bear that in mind.
G.Scott H.
3 Posts
We use (as a first line of defense) software restriction policies. Since implementation, all our AV program (Symantec Endpoint Protection) has done is find malicious files that were downloaded, but blocked from running due to SRP. SRP has some pain points, but the security benefit has been immense.
Anonymous
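The post above describes software restriction policies doing the real work while the AV only logs what was already blocked from running. As an added example, not the poster's configuration, the PowerShell below builds the same kind of default-deny allow-list with AppLocker, the Windows successor to SRP: inventory a known-good reference machine, generate publisher and hash rules from it, dry-run the policy against a downloaded file, and deploy it in audit mode first. It assumes an elevated session on a Windows edition that includes AppLocker; the directory paths, the candidate file and the temp file name are placeholders.

```powershell
# Added example (not the poster's SRP configuration): a default-deny
# application allow-list with AppLocker, the successor to Software
# Restriction Policies, generated from a known-good reference build.
# Assumptions: elevated PowerShell on a Windows edition that supports
# AppLocker; all paths below are placeholders.

# 1. Inventory executables on the reference machine. Publisher rules keep
#    working when signed software is updated; hash rules cover unsigned
#    binaries but must be regenerated when those change.
$refExe = @(
    Get-AppLockerFileInformation -Directory 'C:\Windows'             -Recurse -FileType Exe
    Get-AppLockerFileInformation -Directory 'C:\Program Files'       -Recurse -FileType Exe
    Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe
)

# 2. Turn the inventory into an allow-list. -Optimize merges rules that
#    share a publisher. Anything that matches no rule is denied once the
#    collection is enforced; that is the default-deny SRP gives you.
$policy = New-AppLockerPolicy -FileInformation $refExe `
                              -RuleType Publisher, Hash `
                              -User Everyone -Optimize

# 3. Dry run before touching the machine. A user-writable location is where
#    drive-by payloads land, and that is what the policy should refuse.
$candidate = 'C:\Users\Public\Downloads\setup.exe'   # placeholder
if (Test-Path $candidate) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. Deploy in audit mode first. New-AppLockerPolicy leaves the collection
#    as NotConfigured; AuditOnly logs what would have been blocked without
#    blocking it, so legitimate-but-unlisted software surfaces before users
#    are locked out.
$xmlPath = Join-Path $env:TEMP 'applocker-audit.xml'       # placeholder
$policy.ToXml() -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $xmlPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $xmlPath

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Review the audit trail after a few days. Event 8003 in this log means
#    "ran, but would have been blocked"; 8004 is an actual block once the
#    collection is switched to Enabled.
Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics
```

The pain points the poster mentions are real: the allow-list has to be rebuilt when unsigned software is updated, and users who can install into their own profile will generate audit noise. Start with the Exe collection only; adding Script and WindowsInstaller collections later closes the remaining gaps once the baseline is stable.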
Quoting Anonymous: The real protection comes from installing the latest patches and updates and of course safe computing practices.


This is often easier said than done in a corporate environment, unfortunately. For instance, take (oh, please take it - grin) java. We have one vendor whose app requires a specific point release of the java plugin that's years old. (sigh - don't even get me started - I recommended we NOT use this vendor for just that reason) And to add insult to injury, we have some Oracle apps that don't work with Java 7, but Oracle no longer provides updates for Java 6. (grrr) So Oracle tells everyone to upgrade to Java 7 to be secure... which some of their own apps are incompatible with. Phooey.

And there's a whole myriad of internal apps at my day job that run on systems which we aren't allowed to patch in a timely fashion because the OS patches all too often break the apps. So patches have to be batched, tested in batches, and rolled out selectively. Unless the application is one for which we no longer have support, in which case management usually proclaims that particular app server is never to be patched again... until it's compromised. (sigh)

Businesses are always having to balance between risk of compromise with risk of downtime of various apps/processes...
Brent

118 Posts
In a business environment, you need to consider more than just the scan engine. Anyone can cherry-pick the one malware that their product caught when the others didn't, and the whole "government back door" thing is so fraught with uncertainty and speculation that it's not really even worth considering. If you're the target of a sophisticated and competent attacker, no AV is going to help you. AV is for trying to mitigate casual low-hanging fruit threats, not APT. Pick an AV that's "good enough" and isn't going to bring your clients to a screeching halt whenever a scan spins up, and leave the rest to things such as OS hardening, application patching, network security and business processes.

Once you've hit "good enough" on the client side, the main thing to consider is the ability to effectively manage your fleet; whether it's tracking clients, pushing out updates (patches, policies and/or defs) or response options. The main value lies in what you can see and do. A good management console and reporting features will not only help you identify and respond to alerts as appropriate, over time they will build a clear and quantifiable picture of where your main threats and vulnerabilities lie so that you can do something about them. For example, if 40% of your 1200 infections last year were due to random web drive-bys hitting your outdated Java and the cost of a nuke-and-rebuild is $400, you now have a business case to make... "Java infections alone cost this organization almost $200,000 last year, maybe it's time to think about updating our EBS to a version that supports 1.7".

Another practical thing to consider is what you already have. If you're starting from scratch or don't have a robust AV implementation you have the luxury of choosing the best fit from the start. But if you're already a Product X shop you need to think about the transition. How much "better" is Product Y going to be, how does the licensing compare with what you have now, and is it worth the conversion costs? Are your problems truly the result of having sub-par AV, or are you still going to have most of them because they're not actually AV problems (your users all have admin rights, you're still on Java 1.6_13 and Office 2000, etc.)? You need to think about deployment and potentially running two platforms for a while; you need to think about retooling your brain, and those of your support staff, to think "the Product Y way". If Product Y is truly going to get you more than what you currently have, go for it. Otherwise, spend your time trying to make the most effective use of what you have.

So, all that said, the answer to the question. We're still with Symantec; we revisited our AV options about two years ago and decided to stick with them for the various reasons stated above. They have made continual improvements in the client product and we get in-depth and relevant information on the management side. We'll revisit next year to prepare for the next licensing cycle.
bretmavrik

1 Posts
Quoting JSloan: I use an interesting and useful antivirus program named "GNU/Linux". It installs easily from a boot CD that repartitions my system to remove all the vulnerable Windows software, then runs the PC with all the personal and business functionality I need.


If only everyone used this solution malware would just go away.
Anonymous
Microsoft AV is not worth the money (free). Microsoft repeatedly states that it can't stand alone. It needs a fully patched machine if it is supposed to protect the machine, and it will detect a subset of malware, which is the malware that is currently the biggest threat for most of their customers as decided by MS. That is why it normally comes out with the lowest detection rate. Works as designed.

But any AV product is better than none for most users.
Povl H.

71 Posts